lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (SOLR-5520) Backport some security fixes from 4.x to 3.6.x branch
Date Mon, 02 Dec 2013 13:13:45 GMT


ASF subversion and git services commented on SOLR-5520:

Commit 1547011 from [~thetaphi] in branch 'dev/branches/lucene_solr_3_6'
[ ]

SOLR-5520: Backports of:
- SOLR-4881 (Fix DocumentAnalysisRequestHandler to correctly use EmptyEntityResolver to prevent
loading of external entities like UpdateRequestHandler does)
- SOLR-3895 (XML and XSLT UpdateRequestHandler should not try to resolve external entities)
- SOLR-3614 (Fix XML parsing in XPathEntityProcessor to correctly expand named entities, but
ignore external entities)

> Backport some security fixes from 4.x to 3.6.x branch
> -----------------------------------------------------
>                 Key: SOLR-5520
>                 URL:
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 3.6.2
>            Reporter: Uwe Schindler
>            Assignee: Uwe Schindler
>             Fix For: 3.6.3
>         Attachments: SOLR-4481-3895-36.patch, SOLR-4882-36.patch
> Redhat wants to backport some security fixes we applied in 4.1 and 4.6 to the Solr tree
to 3.6, because their user-base still uses this version. To help them with backporting across
the major API/version changes, we should also do this on the 3.6 branch.
> Redhat already assigned 3 CVE numbers to these issues and take the older issues seriously,
and they will patch older versions and also force users to upgrade. cf, [CVE-2013-6397|]
(SOLR-4882), [CVE-2013-6407|] (SOLR-3895),
[CVE-2013-6408|] (SOLR-4881).
> To fully fix, we might need to backport more patches. I will take care of this. This
issue may be useful, if we release a 3.6.3 package.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message